1 files changed, 54 insertions, 0 deletions

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 75a1304df..da08daefd 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -19,6 +19,7 @@
 
 import sys
 import os
+import pwd
 import socket
 import datetime
 import traceback
@@ -165,6 +166,7 @@ class Service(object):
         self.dercert = None
         self.api = api
         self.service_user = service_user
+        self.dm_password = None  # silence pylint
 
     @property
     def admin_conn(self):
@@ -534,6 +536,58 @@ class Service(object):
         else:
             root_logger.debug("service %s container sucessfully removed", name)
 
+    def _add_service_principal(self):
+        try:
+            self.api.Command.service_add(self.principal, force=True)
+        except errors.DuplicateEntry:
+            pass
+
+    def _run_getkeytab(self):
+        """
+        backup and remove old service keytab (if present) and fetch a new one
+        using ipa-getkeytab. This assumes that the service principal is already
+        created in LDAP. By default GSSAPI authentication is used unless:
+            * LDAPI socket is used and effective process UID is 0, then
+              autobind is used by EXTERNAL SASL mech
+            * self.dm_password is not none, then DM credentials are used to
+              fetch keytab
+        """
+        self.fstore.backup_file(self.keytab)
+        try:
+            os.unlink(self.keytab)
+        except OSError:
+            pass
+
+        ldap_uri = self.api.env.ldap_uri
+        args = [paths.IPA_GETKEYTAB,
+                '-k', self.keytab,
+                '-p', self.principal,
+                '-H', ldap_uri]
+        nolog = tuple()
+
+        if ldap_uri.startswith("ldapi://") and os.geteuid() == 0:
+            args.extend(["-Y", "EXTERNAL"])
+        elif self.dm_password is not None:
+            args.extend(
+                ['-D', 'cn=Directory Manager',
+                 '-w', self.dm_password])
+            nolog += (self.dm_password,)
+
+        ipautil.run(args, nolog=nolog)
+
+    def _request_service_keytab(self):
+        if any(attr is None for attr in (self.principal, self.keytab,
+                                         self.service_user)):
+            raise NotImplementedError(
+                "service must have defined principal "
+                "name, keytab, and username")
+
+        self._add_service_principal()
+        self._run_getkeytab()
+
+        pent = pwd.getpwnam(self.service_user)
+        os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+
 
 class SimpleServiceInstance(Service):
     def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None,